Psono Review

Psono is a secure password manager that was first launched in 2017 by a developer called Sascha Pfeiffer. It is a service based in Germany - a location that is generally thought to be good for privacy.

Sascha claims to have developed the entire project single-handedly, which is an impressive feat. And, the service appears to be generally well respected considering it has only been around a couple of years. The fact that it is open-source certainly works in its favor, and the website certainly oozes quality and transparency.

So is this password manager worth your time? Is it suitable for beginners looking for a password manager? And does it have all the necessary features we have come to expect from secure password managers?

Psono Overview

Remembering tons of passwords for an ever-growing number of online accounts and services is not an easy feat. For this reason, more and more consumers are turning to secure password managers in order to get the help they need.

Psono is a password manager that is advertised as being secure because it provides end-to-end encryption that ensures only end-users ever have access to the keys needed to access the encrypted passwords stored on its servers.

Consumers can use Psono for free, and even small businesses are permitted to use the service free of charge with up to ten users. The enterprise version of the password manager adds LDAP and SAML SSO for identity management security. This allows businesses to centrally control the setting and updating of passwords and email address management, and provides the ability to deactivate user access.

The enterprise version also permits audit logging and compliance enforcement, which imposes rules on users such as forcing them to use two-factor authentication. Businesses that require the password manager to work for more than 10 users - or who require any of these features - will need to pay around $26.50 per year for the service.

What Features does Psono Offer?

End-to-end encryption (client-side)

Strong transport security - Qualys SSL Labs rated A+

Password syncing for multiple devices

Import and export passwords from other managers

Two-factor authentication support

Password generator feature

PGP encryption

Groups

File sharing and link sharing

Multi-browser support

Autofill

Secure notes

Password capture feature

How to Set Up Psono

Getting an account with Psono can be achieved easily by visiting its website. Registering requires you to choose a username and password, as well as to provide an email address for correspondence. Having to provide an email address is slightly frustrating in terms of privacy, but it is better than needing to hand over a mobile telephone number.

Once you have entered those details, you will receive a confirmation email and can begin using the service once you have confirmed by clicking on the link.

One thing we did notice is that the confirmation email was filtered into our spam box. So be sure to check there if you can’t see it in your primary inbox. Once you have confirmed your email address, it is time to log in.

We logged in with no issues and were able to start using the web portal right away. For anybody who prefers to use the software via either a Chrome or Firefox extension, the option is there to do so. However, the downloads are not available from inside the web portal. Instead, you will need to visit the website’s home page and click on downloads.

Techy users also have the option to install the WebClient onto their own server if they prefer. The web client is written in JavaScript and it can be hosted with any web server with zero dependencies. This allows users to securely store their passwords without having to rely on any public services. For those who are interested, you can find docker images for the Psono Server and Psono Web Client on its download page.

This is an interesting and useful part of the service for those that want it. However, for the vast majority of people, using the web portal and extensions will be the best way to use the service.

How Easy is Psono to use?

We downloaded the Chrome extension and tested the software via the web client and the mobile application too. Starting the web client for the very first time is slightly confusing because there is no walkthrough or explanation about how to use any of the service’s features.

This may leave some beginners feeling cold. However, the reality is that you can start adding passwords easily simply by right-clicking on the screen where it tells you to.

After right-clicking on the big plus sign you can either create a folder or start saving passwords. We decided to create a folder called Social media passwords. Once a folder is created, you can start adding passwords to it by clicking on the settings symbol on the right.

The setup feature for adding passwords comes with a password generator. However, bizarrely the password generator only creates passwords that are 59% secure. This seems counterproductive considering the service is going to be remembering them on your behalf.

We recommend that you keep adding extra characters by hand until the password shows up as 100% secure. Once the password is secure enough, you can click OK and the software will save the password to your secure database.

Your passwords can be accessed at any time within the web portal by clicking Settings on the right of the specific entry and selecting copy username and copy password in order to add them manually to a login screen.

In the settings menu, users get the option to share passwords with a contact or team member (fellow Psono users). To share with non-team members or non-Psono users, a URL link can be set up with a passphrase to protect the link. This allows users to share a password securely via a link and even allows them to set how many times the link can be used (to ensure the recipient does not pass it on to anybody).

For anybody who wants to autofill passwords into websites when they visit them, it will be necessary to install a browser extension. These extensions are only available for Firefox and Chrome, so if you do want to autofill passwords you will need to use one of these browsers.

Once the extension is installed, visiting websites will automatically put the letters PW into all username and password fields. Simply click on these letters to access and autofill usernames and passwords.

Once we had the extension installed, we found the ability to store passwords and autofill them onto websites seamless. When signing up to new services, the ability to auto-generate a password and save it to your database takes away the pressure of coming up with robust passwords. However, if you are hoping for passwords and usernames to be saved automatically to your database from the website form that you fill in, this is not how it works. Instead, you must click on the PW in the new password field and head into the WebClient to add the new entry manually and create the password there. This is a little more complicated but

For anybody migrating from a previous password manager, Psono provides the ability to import passwords using a number of formats including CSV, JSON, or XML. To import, simply click on your username in the top right and select “other” from the drop-down menu.

Here you may click import or export depending on which you want to do. Finding all these options can be a bit of a headache the first time. However, as long as you stick to using the setup guide provided by the website, you will be able to find everything you need. This setup guide covers everything, has images, and is exactly what beginners need to make setting up and using Psono a walk in the park. Despite being a little daunting at first, we found this password manager to be suitable for beginners.

Is Psono Secure and Private?

Psono is somewhat unique in the way that it handles encryption, though, admittedly, the end results are identical in practice to what other password managers do.

Most secure password managers with end-to-end encryption tend to use the AES cipher to encrypt passwords locally and RSA to secure the TLS connection while uploading them to the cloud. Psono is different because it uses a combination of modern cryptographic primitives to encrypt passwords client-side before uploading them to servers in Germany over TLS 1.2 with Perfect Forward Secrecy. By doing so, Psono avoids NIST-approved algorithms, which some people distrust.

Psono uses open-source cryptographic primitives, including Curve25519 and Salsa20, through the NaCl (“Salt”) cryptographic library. Psono’s servers use the open-source PyNaCl and its front end uses ecma-nacl (the JavaScript version of Salt).

Curve25519 offers 128 bits of security and is designed for use with the elliptic curve Diffie–Hellman (ECDH) key agreement scheme. Salsa20 is a stream cipher designed in 2005. It is built on a pseudo-random function based on add-rotate-xor operations and is highly regarded due to its ability to encrypt at fast speeds.

For encryption at rest, Psono uses the Salsa20 stream cipher with a Poly1305 MAC (message authentication code). This reduces the amount of trust you have to place in Psono’s database administrators.
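
To make the add-rotate-xor design and the role of the MAC concrete, here is an added example (not Psono's or NaCl's code): a plain-Python Salsa20/20 keystream built from the quarter-round, plus a helper showing that ciphertext without a MAC can be altered undetected. The key, nonce, sample entry and the helper name edit_without_key are constructed for illustration; NaCl's secretbox uses the extended-nonce XSalsa20 variant together with Poly1305 rather than this bare construction.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # constants for 256-bit keys

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def quarterround(y0, y1, y2, y3):
    # The add-rotate-xor step: each word is XORed with a rotated sum of two others.
    y1 ^= rotl((y0 + y3) & MASK, 7)
    y2 ^= rotl((y1 + y0) & MASK, 9)
    y3 ^= rotl((y2 + y1) & MASK, 13)
    y0 ^= rotl((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3

# State indices for one double round: four column groups, then four row groups.
GROUPS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
          (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]

def salsa20_block(key, nonce, counter):
    # 64-byte keystream block from a 32-byte key, 8-byte nonce and block counter.
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    state = [SIGMA[0], *k[:4], SIGMA[1], *n, counter & MASK, counter >> 32,
             SIGMA[2], *k[4:], SIGMA[3]]
    x = list(state)
    for _ in range(10):  # 10 double rounds = the 20 rounds of Salsa20/20
        for a, b, c, d in GROUPS:
            x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])
    return struct.pack("<16I", *((xi + si) & MASK for xi, si in zip(x, state)))

def salsa20_xor(key, nonce, data):
    # Encryption and decryption are the same XOR against the keystream.
    out = bytearray()
    for i in range(0, len(data), 64):
        block = salsa20_block(key, nonce, i // 64)
        out += bytes(d ^ s for d, s in zip(data[i:i + 64], block))
    return bytes(out)

def edit_without_key(ciphertext, offset, old, new):
    # With no MAC, XORing old^new into the ciphertext rewrites the plaintext.
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)

# Constructed sample values, not taken from Psono.
KEY, NONCE = bytes(range(32)), bytes(8)
ENTRY = b"login=alice;note=constructed sample entry"
```

Decrypting the output of edit_without_key yields a valid-looking but altered entry, which is the failure an authenticator such as Poly1305 is there to catch: the tag check fails and the ciphertext is rejected before decryption.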

Overall, these are cutting-edge, modern, open-source cryptographic primitives that are considered secure, which means that the end-to-end encryption can be trusted.

We tested Psono’s transport layer security using the independent auditing tool Qualys SSL Labs and were happy to find that its TLS security scored an A+. This means the TLS is configured correctly and you can trust your encrypted passwords and data to be transmitted securely to Psono’s servers in Germany.

The fact that Psono is open-source and implements completely open-source cryptographic primitives is a win in terms of security. It means that the entire client can be audited by third-party security experts to ensure that it is working as it says.

We have no reason to doubt the efficacy of Psono’s front and back end. However, we were not able to ascertain that it had been audited by any third parties, either. And, because it was designed from the ground up by just one person, it is possible that it could contain design vulnerabilities.

Finally, it is also worth noting that Psono gives its users the flexibility to host their passwords anywhere they want. This means that consumers can self-host and completely avoid putting anything on Psono’s servers. This is a testament to Psono’s overall mission, which appears to be to provide a good password manager - as opposed to making a quick buck.

How Good is Psono Customer Support?

We contacted customer support via the form on its website to ask a few simple questions about using the service. Doing so did not lead to us getting a ticket response for our request. However, later that day we did receive a response to our question. Admittedly responses don't come immediately, but you aren't left waiting around for days either, which is good.

Sending a request via email was even more successful; providing us with an immediate automatic response so that we knew to expect an answer. Thus, we would tend to recommend sticking to sending an email if you do require help.

Again, a response took about half a day to come, and the company informed us that there are just two agents. This is not particularly surprising considering that this is a free-to-use, one-man project.

The fact that you do get responses is pretty amazing, and they do come within the day. The firm told us that enterprise customers with a paying account can get a “support package” which means that your support requests will be prioritized. This is a nice way of getting a problem sorted quickly.

The setup guides available on its website are useful, and they explain everything that you need to know to get the service up and running. Again, this is an excellent side of the service that allows people to get Psono up and running with minimal headache.

Admittedly, there are password managers on the market that will provide you with better support. Some even have live chat on their website. However, if you are looking for a good, open-source password manager with end-to-end encryption - and you are happy waiting a little while for a response via email - this service is definitely a good option.

What’s more, Psono’s developer Sascha has a Reddit account, and it is possible to ask questions about the service on Reddit if you wish. This is the equivalent of a red telephone that links you directly to the service’s head honcho - pretty cool and extremely useful if you have really techy questions that you would like Sascha to address directly.

My Final Thoughts

Overall, Psono is a password manager that commanded our respect. Its use of open-source cryptographic primitives - while not revolutionary - is interesting, and is certainly going to attract a certain privacy-conscious clientele. However, whether these choices really are better than the tried and tested AES that most password managers use is arguable.

However, the choice to make everything open source is highly commendable and there is no doubt that this password manager is extremely attractive in terms of security and privacy.

The large choice of features available with Psono is impressive, especially considering that anybody can use this password manager for free. And, even larger teams who want to make use of the ability to share passwords securely, as well as advanced features such as PGP Mail encryption, link shares, API Keys & callbacks, digital legacy, and SAML authentication - can do so for a very minimal fee.

The Psono website is a little boastful, and it is definitely designed to lure people in. On the other hand, it does a better job than most of being transparent and providing a lot of technical details about the implementation of security on the platform. While this is bound to go over most people’s heads, it is useful information.

In terms of the actual day to day use, Psono is not difficult to get accustomed to. And, thanks to its easy-to-understand setup guides it can be considered a great service for any beginner looking for a password manager. Most importantly, this password manager provides full end-to-end encryption, which means that you and only you control the keys to your passwords.